CVE-2023-36709
📋 TL;DR
This vulnerability in Microsoft's AllJoyn API allows attackers to cause a denial of service (DoS) by sending specially crafted packets to vulnerable systems. It affects Windows devices with AllJoyn enabled, potentially causing system crashes or service disruptions. The vulnerability stems from a NULL pointer dereference (CWE-476) in the API implementation.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash requiring reboot, disrupting critical services and potentially causing data loss in unsaved transactions.
Likely Case
Service disruption affecting AllJoyn-dependent applications, causing temporary unavailability of IoT device connectivity and related functionality.
If Mitigated
Minimal impact with proper network segmentation and AllJoyn service disabled on non-essential systems.
🎯 Exploit Status
Exploitation requires network access to vulnerable systems with AllJoyn service enabled and listening.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply September 2023 security updates or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36709
Restart Required: Yes
Instructions:
1. Apply September 2023 Windows security updates via Windows Update.
2. For enterprise environments, deploy updates through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems to complete installation.
🔧 Temporary Workarounds
Disable AllJoyn Service
Disable the AllJoyn Router Service if not required for IoT device connectivity.
sc config AJRouter start= disabled
sc stop AJRouter
Network Segmentation
Restrict network access to AllJoyn service (typically UDP port 9956) using firewall rules.
netsh advfirewall firewall add rule name="Block AllJoyn" dir=in action=block protocol=UDP localport=9956
🧯 If You Can't Patch
- Disable AllJoyn Router Service on all systems where IoT device connectivity is not required
- Implement strict network segmentation and firewall rules to block UDP port 9956 from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check whether the AllJoyn Router Service (AJRouter) is running and whether the system is missing the September 2023 security updates.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the September 2023 security updates are installed and that the AllJoyn service is either patched or disabled.
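The checks above and the two workarounds can be combined into one local report. The following PowerShell is an added example, not taken from the vendor advisory; the function name Get-AllJoynExposure is hypothetical, and it assumes that an update installed on or after 12 September 2023 (the September 2023 Patch Tuesday) indicates patching, which is a heuristic rather than a KB-level check.

```powershell
# Added example: local exposure check for CVE-2023-36709.
# Assumption: any update installed on or after 2023-09-12 (September 2023
# Patch Tuesday) is taken as a sign of patching. This is a heuristic; confirm
# the exact KB for your build in the vendor advisory.
$PatchCutoff = [datetime]'2023-09-12'

function Get-AllJoynExposure {   # hypothetical helper name
    # AJRouter is the service name used in the workaround commands.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AJRouter'"
    $state     = if ($svc) { $svc.State }     else { 'NotInstalled' }
    $startMode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }

    # Newest installed update; InstalledOn is empty for some entries.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patched = [bool]($latest -and $latest.InstalledOn -ge $PatchCutoff)

    # Enabled inbound block rule for UDP 9956 (exact port match only;
    # rules that cover the port through a range are not detected).
    $blocked = $false
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'UDP' -and $filter.LocalPort -contains '9956') {
            $blocked = $true; break
        }
    }

    # A stopped service that is not disabled can still be started later,
    # so only "Disabled" (or absent) counts as the service workaround.
    $svcOff = ($startMode -in 'Disabled', 'NotInstalled') -and $state -ne 'Running'
    if ($patched)     { $verdict = 'Update on or after cutoff installed; confirm KB' }
    elseif ($svcOff)  { $verdict = 'Workaround in place: AJRouter disabled' }
    elseif ($blocked) { $verdict = 'Partial: UDP 9956 blocked, service still enabled' }
    else              { $verdict = 'Exposed: no update, service enabled, no block rule found' }

    [pscustomobject]@{
        ServiceState = $state; StartMode = $startMode
        LatestUpdate = $latest.HotFixID; InstalledOn = $latest.InstalledOn
        Udp9956Blocked = $blocked; Verdict = $verdict
    }
}

Get-AllJoynExposure | Format-List
```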
📡 Detection & Monitoring
Log Indicators:
- Event ID 1000 application crashes for svchost.exe hosting AJRouter
- Unexpected AllJoyn service restarts in system logs
Network Indicators:
- Unusual UDP traffic on port 9956 from external sources
- Multiple connection attempts to AllJoyn service
SIEM Query:
EventID=1000 AND SourceName="Application Error" AND ProcessName="svchost.exe" AND Service="AJRouter"